[tor-talk] Secure DNS Addresses

l.m ter.one.leeboi at hush.com
Sun Apr 5 21:49:29 UTC 2015


Hi,

evervigilant at riseup.net wrote:
> If anyone has good intel on some really secure DNS
> addresses that would be great currently I'm using 
> my VPN provider DNS servers and would like to
> have some more numbers to add to my list.

You might consider security and DNS a bit of a joke in that security
wasn't a major design goal. DNSSEC is an extension which is meant to
provide assurance that the response is authoritative. It doesn't
encrypt the request, it only signs the response. This means it would
act as a side-channel, or information leak if used together with Tor.
Using Tor for DNSSEC resolves is expensive and slow, slower if the
exit were to tamper.

Having said that you might look into dnscrypt as a method to secure
the client-DNS resolver traffic. It supports forcing DNS over TCP if
needed. Some dnscrypt-supporting resolvers also provide DNSSEC.
Consider however that *any* local DNS resolution together with Tor can
act as an information leak. All an adversary needs to know is which
resolver you use and then watch the traffic generated by the resolver.
At some point that traffic will be unencrypted.

Do keep in mind some resolvers (like OpenDNS dnscrypt) provide
features where the *apparent* client can monitor and filter requests.
This might be a concern for you where MITM-like adversaries might
exist.

--leeroy
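Two of the points above can be checked mechanically: a DNS query carries the requested name in cleartext in its question section (DNSSEC signs the answer; it does not hide the question), and any DNS flow that leaves the host to a port-53 resolver instead of going through the local Tor SOCKS port is a lookup an observer on the resolver's path can read. The following is an added example, not code from the list post or from the Tor or dnscrypt projects; the query ID, the names, the flow records and the assumed Tor SOCKS address 127.0.0.1:9050 are all constructed for illustration.

```python
import struct

# Constructed example: build an RFC 1035 DNS query (header + one question)
# and read the queried name straight back out of the bytes, to show that
# the name is visible on the wire whether or not the answer will be signed.

def build_query(name: str, qtype: int = 1, qid: int = 0x1234) -> bytes:
    """Build a standard DNS query for `name` (type A by default, class IN).
    qid is an arbitrary constructed transaction ID."""
    # Header: ID, flags (RD=1 -> 0x0100), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    # Question: length-prefixed labels, a zero terminator, then QTYPE and QCLASS
    question = b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in name.rstrip(".").split("."))
    question += b"\x00" + struct.pack("!HH", qtype, 1)
    return header + question


def parse_qname(packet: bytes) -> str:
    """Recover the queried name from a DNS message with no key material:
    the question section is plaintext in every DNS message."""
    offset = 12  # skip the fixed 12-byte header
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels)


# Constructed flow records ("proto src dst"), not a real capture. The host is
# assumed to route application traffic through a Tor SOCKS port at 127.0.0.1:9050.
FLOWS = [
    "tcp 10.0.0.5:41234 127.0.0.1:9050",  # application flow into the local Tor SOCKS port
    "udp 10.0.0.5:50311 9.9.9.9:53",      # DNS query leaving the host directly (plaintext)
    "tcp 10.0.0.5:50312 1.1.1.1:53",      # DNS over TCP: still plaintext on the wire
    "tcp 10.0.0.5:41235 127.0.0.1:9050",
]


def find_dns_leaks(flows):
    """Return (proto, resolver_ip) for every flow that sends DNS to a port-53
    resolver outside the host. A loopback resolver (e.g. a local dnscrypt
    proxy listening on 127.0.0.1:53) is not reported, since its upstream
    traffic is what would need checking separately."""
    leaks = []
    for line in flows:
        proto, _src, dst = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        if int(dst_port) == 53 and not dst_ip.startswith("127."):
            leaks.append((proto, dst_ip))
    return leaks


if __name__ == "__main__":
    q = build_query("example.org")
    print("query bytes:", q.hex())
    print("name readable from the packet:", parse_qname(q))
    print("direct DNS flows bypassing Tor:", find_dns_leaks(FLOWS))
```

Running the block prints the raw query with the labels `example` and `org` plainly visible, and lists the two flows that went to outside resolvers on port 53; the flows into the SOCKS port are not reported. The same rule, applied to real connection logs, is a simple way to confirm that a Tor-using host is not resolving names locally.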
